Network Monitoring
Configuring Network Monitoring
9-40
ProCurve(config-policy-class)# allow list MatchPrimary
ProCurve(config-policy-class)# ip policy-class Secondary
ProCurve(config-policy-class)# allow list MatchSecondary
ProCurve(config-policy-class)# exit
ProCurve(config)# interface ethernet 0/2
ProCurve(config-eth 0/2)# access-policy Primary
ProCurve(config-eth 0/2)# interface demand 1
ProCurve(config-demand 1)# access-policy Secondary
ProCurve(config-demand 1)# exit
ProCurve(config)# ip policy-class NATInside
ProCurve(config-policy-class)# nat source list MatchLocal interface ethernet 0/2 overload policy Primary
ProCurve(config-policy-class)# nat source list MatchLocal interface demand 1 overload policy Secondary
ProCurve(config-policy-class)# exit
ProCurve(config)# interface ethernet 0/1
ProCurve(config-eth 0/1)# access-policy NATInside
Disabling the RPF Check
The ProCurve Secure Router OS firewall checks incoming traffic and determines
whether it has arrived on a valid interface by looking up the source address
in the routing table. When network monitoring changes the active route,
traffic may seem to be arriving on an invalid interface. You must disable
this check so that the firewall does not drop traffic.
You disable the RPF check on a particular ACP. When you apply that ACP to
an interface, the router forwards incoming traffic allowed by the ACP
regardless of whether this traffic seems to arrive on the correct interface.
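The following Python sketch is an added example, not part of the ProCurve documentation. It models the source-address lookup described above with a simplified routing table, to show why traffic arriving on ethernet 0/2 fails the check once monitoring has moved the default route to demand 1. The addresses, the routing table contents and the strict "route back to the source must use the arrival interface" rule are assumptions for illustration; only the interface names come from the configuration above.

```python
import ipaddress


def best_route(routes, addr):
    """Longest-prefix match: interface of the most specific route covering addr."""
    addr = ipaddress.ip_address(addr)
    matches = [(net, ifc) for net, ifc in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def rpf_accepts(routes, src, in_ifc, rpf_check=True):
    """Simplified model of the RPF check for one incoming packet.

    With the check enabled, the packet passes only if the route back to its
    source leaves through the interface it arrived on. With the check
    disabled, this stage always passes (the ACP's allow lists, not modelled
    here, still decide whether the traffic is permitted).
    """
    if not rpf_check:
        return True
    return best_route(routes, src) == in_ifc


def routes_with_default(default_ifc):
    """Constructed routing table: one LAN route plus the active default route."""
    return [
        (ipaddress.ip_network("192.168.1.0/24"), "ethernet 0/1"),  # assumed LAN
        (ipaddress.ip_network("0.0.0.0/0"), default_ifc),
    ]


def scenario():
    src = "203.0.113.10"  # constructed remote host (documentation range)
    before = routes_with_default("ethernet 0/2")  # primary route active
    after = routes_with_default("demand 1")       # monitoring has failed over
    return {
        "primary_up": rpf_accepts(before, src, "ethernet 0/2"),
        "after_failover_checked": rpf_accepts(after, src, "ethernet 0/2"),
        "after_failover_unchecked": rpf_accepts(after, src, "ethernet 0/2", rpf_check=False),
        "secondary_after_failover": rpf_accepts(after, src, "demand 1"),
    }


if __name__ == "__main__":
    for name, accepted in scenario().items():
        print(f"{name}: {'forward' if accepted else 'drop'}")
```
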
If you have properly set up NAT, you have already created ACPs to control
incoming traffic on the primary and secondary WAN interfaces. (See "Using
NAT with Network Monitoring" on page 9-37.) Enter this command, from the
global configuration mode context, to disable the RPF check on these
two ACPs:
Syntax: no ip policy-class <policyname> rpf-check